Trust and Temptation in the Internet as a Shared Commons

As the “Snowden leaks” continue to reveal and unravel the twisted web of government surveillance, it is becoming clear that the foundation of trust in the Internet as a shared commons has been thoroughly undermined.

When the underlying infrastructure, the logistical supply chain and even, as some leaked documents hint, the encryption relied on commercially by the majority of the world have been as thoroughly undermined and co-opted as has been reported, any notion of trust dissipates.

Recriminations from China against the US Government and its allies came swiftly, but did not approach anywhere near the hysterical pitch the western media and blogosphere reached during the APT1 mass-panic.

Louder and more persistent criticism, however, came from many of the exposed targets of the espionage activity – many of whom consider themselves allies and trading partners, and have a disturbed and angry electorate to placate. Plowing with full force into this pileup is also a matter of nationalistic and commercial interests. In Germany, for example, there is a noticeable wave of media, industry groups and German businesses pushing the label “Security made in Germany”. The realization that there are barely enough alternative vendors in Germany, or in most other countries for that matter, to make that move even if they were able to, does not appear to have sunk in quite yet.

We are told there is a difference between Chinese and Western hacking and surveillance, aside from the differences in approach and utilized attack vectors. The US and other fingered actors possess technological and situational advantages due to their integral role in managing the critical shared infrastructure that underpins the global network.

The Chinese do not just use it for national security purposes, they also abuse the intelligence thus gathered economically. The United States, categorically, do not.

Other than an appeal to believe in the moral superiority of American spies and intelligence agencies, we are offered no further reassurance.

The problem with this argument, even if taken at face value, is similar to that of the Chinese. The abuse and misuse of the gathered data cannot currently be controlled. That is the first lesson of both the Snowden and the preceding Manning affairs.

We only know about these two incidents because they were intentionally leaked. Could the same be said if either had instead opted to sell the pilfered intelligence to the highest bidder? Or if they had been purposefully planted by an interested party?

In the same vein of thinking, how many times has this been done before? We really can’t tell and will never know. More worryingly, the same seems to be the case for the affected agencies and military and intelligence businesses, who also seem unable to even determine the scope and content of the taken material. If you were wondering why so many other countries are cooperating in the attempt to limit the damage, it is because no one knows what skeletons are yet to pop out of the closet.

This leaves one big question hanging in the air. If they cannot tell what was taken even after they are aware of the breach, how on earth could they assure anyone that the harvested intelligence is not being used for economic benefit?

Apparently, all it takes for unfettered access to top secret intelligence data is to obtain a job at any one of the big government contractors, who seem to apply for Top Secret clearance for all and sundry, the cleaning staff included, it seems.

Even the security clearance vetting system is under scrutiny, prompting congressional hearings and investigations. The picture that emerges here so far is one of rampant negligence and abuse. This was of course to be expected, considering the increase in demand for security professionals, of which there will not magically be more just because the government and military need them. That recruitment standards and quality suffer, and that the vetting process lacks due diligence, is a natural consequence of the hasty rush to bulk up the nation's computer defenses after the self-inflicted panic following the APT1 report and the NY Times and related hacks.

Other insights into how the intelligence agencies monitor and maintain data security even within their own ranks are also not encouraging. From LOVEINT to a wanton willingness to flout the law, Europeans are not hearing much to provide reassurance.

It is unavoidable to draw the conclusion that the scope and vector for spying on the spies, so to speak, is broad enough to warrant concern. To believe that someone would be able to get access to all of that data and not try for a competitive advantage, especially when the process is so prone to abuse, is a ridiculously naïve position. Even excluding American private interests, the system is just as open for abuse by foreign entities.

Even if this were possible, the fact that this data has been gathered and is apparently accessible to such a wide range of people also poses other problems. The first is that even though there may not be any cause or impetus to use the stored intelligence for economic reasons today, there is no guarantee that this will still be the case tomorrow. Political and economic interests change over time. That data will still be there.

Yet another complication for the provided narrative is that many of the private contractors, and indeed even government agents via the revolving door, will for the most part move on into other companies, agencies or roles. The information they have seen and learned will not be forgotten. Even assuming someone has the principles and discipline not to consciously use the information from that time, it will still be there in the back of the mind. Of course, this is always a risk of intelligence gathering and analysis, but due to the scale and the number of actors involved, many of whom also have other business interests, this risk will grow correspondingly.

This episode is also far from over – the leaks are still ongoing, and similar incidents are not unlikely either. Like any iterative process, the leaking of such material will mature and evolve. The threat of prosecution may dissuade some, but others will look at the mistakes that Julian Assange, Bradley Manning, and Snowden have made, and they will learn from these and avoid the same pitfalls.

At the very least, this incident will encourage and foster a security industry outside of the United States and a greater push towards shared governance of the Internet, and it will impact the future success and growth of US cloud, security and tech providers worldwide. Considering the importance of the US tech sector, this will impact America visibly, and understandably, Google, Microsoft and other US businesses are already applying pressure to the US Government and are ramping up efforts to distance themselves from the fallout. Whether this will be successful remains to be seen.

I also predict that it will not be long before the first incident of this data being abused economically by a western party emerges. It will put the final nail into the coffin of trust in anyone unilaterally governing the Internet.

We will then either have a world where the responsibility for the Internet is shared and trust can be reestablished, or we will have a world where the Internet undergoes a process of balkanization. The second option would wind back the clock of globalization and international mutual trust by decades. Which one we will find ourselves in will depend greatly on the latest developments, including what will still be leaked and, more importantly, what actions the United States will take to rein in its intelligence machine and to reassure its allies.

Oliver Rochford is Research Director at Tenable Network Security. Oliver is a recognized expert on threat and vulnerability management as well as cyber security monitoring and operations management. He previously worked as research director at Gartner. He has worked as a security practitioner and white hat hacker for Tenable Network Security®, HP Enterprise Security Services, Verizon Business, Secunia® (now Flexera Software), Qualys®, and Integralis (now part of NTT Com Security).